Who’s knocking on your network door?

If all network users were secured behind their organizations’ firewalls, giving them access to systems would be relatively simple. But as more people log on to networks remotely, controlling who can enter and what resources they can access is becoming more complex.

As a result, government officials are looking for solutions that can serve as sentries for ballooning populations of local and remote users. They want to allow users into their networks while supervising access to particular applications and data.

Caymas Systems, a 4-year-old company based in San Jose, Calif., is at the forefront of a class of products that provides the kind of identity-driven security the new communications environment demands. Instead of using the old rule-based techniques, which can threaten security as rule sets increase in complexity, the new tools control access based on users’ identities.

The company’s Identity-Driven Access Gateways build on an organization’s existing permissions infrastructure under Microsoft Active Directory or Lightweight Directory Access Protocol. They define detailed permissions to access resources such as files, e-mail, Web services and networks for each user or group of users.

Caymas gateways are not intended to replace firewalls located at network peripheries, said Sanjay Uppal, the company’s executive vice president of product management, marketing and business development. Firewalls are still needed to provide a basic level of security for an enterprise.

“But firewalls are poor at identifying who a particular user is and where they are coming from,” he said. “Caymas provides the finer granularity of control that enables that level of access.”

The company’s gateways could replace firewalls that are used inside networks to guard specific resources such as application servers, he said.

They also offer administrators the ability to determine what software is running on a remote machine someone is using to gain access to the network and whether it is compromised, Uppal said. Coupled with identity access, the products facilitate an even finer level of access control, he said.

The Chicago Police Department recently chose the Caymas system to help with its plan to make multiple custom applications available to a greater number of police and detectives in Illinois. Officials eventually want to make the applications accessible to forces in neighboring states such as Indiana and Wisconsin.

“In the past, we had used a leased line or [virtual private network] to do this, but that gradually became really cumbersome and costly,” said Thomas Zang, the department’s chief information security officer. “Leased line costs are very burdensome for the smaller departments, and managing VPNs is complex.”

Nevertheless, department officials considered setting up a VPN until Zang came across the Caymas gateways at a trade show and saw that they offered much of the remote access management functions the department wanted.

Having the Caymas system, which also provides Secure Sockets Layer encryption and IP Security (IPSec) VPN services, doesn’t mean the department will be getting rid of the VPNs it already has, Zang said. But it does mean officials won’t have to expand their use.

In the remote-access market, Caymas competes against established players such as Cisco Systems and Nortel Networks, which also have gateway products that handle VPN termination, said Robert Whiteley, an analyst at Forrester Research.

The company is also a player in the local-access market, and Whiteley believes those capabilities will be critical because local access must accommodate a far greater number of users than remote access does.

Caymas is the first company with a product that can handle both, Whiteley said.

The identity-driven difference

Caymas Systems’ access gateways identify and authenticate network users and then uniquely tag all communications associated with their individual sessions.

The company’s identity-tagging technology allows the gateways to answer the following questions for every request and every response:

1. Who is the user? The gateways tag each request with the authenticated user’s identity.

2. Where can the user go? The technology authorizes or blocks requests for specific resources based on a user’s identity.

3. Is the user behaving? The technology analyzes each authorized request during a user’s session. If a request is deemed malicious, the technology can block it and issue an alarm.

4. What did the user do? The gateways log user activities and resource requests on a per-user and per-resource basis.
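To make the four questions concrete, here is an added example of a minimal identity-driven gateway in Python. It is not Caymas code; the credential store, group memberships, resource policy and the "too many denied requests" behaviour rule are constructed assumptions standing in for a directory such as Active Directory or LDAP and for the gateway's own policy engine.

```python
from collections import defaultdict

# Constructed sample data (not a real directory or policy format):
CREDENTIALS = {"tzang": "s3cret", "pdoe": "pass"}            # who can log in
GROUPS = {"tzang": {"infosec", "officers"}, "pdoe": {"officers"}}  # directory groups
POLICY = {"/apps/case-files": {"officers"}, "/apps/admin": {"infosec"}}  # resource -> groups
MAX_DENIED = 3   # assumed behaviour rule: cut the session off after this many denials


class IdentityGateway:
    def __init__(self):
        self.sessions = {}            # session token -> user name (the identity tag)
        self.denied = defaultdict(int)  # denied requests seen per session
        self.blocked = set()          # sessions cut off for misbehaving
        self.audit = []               # (user, resource, decision): per-user, per-resource log
        self.alarms = []              # (user, reason) raised when a session is blocked
        self._counter = 0

    def login(self, user, password):
        """Q1: authenticate once, then tag the whole session with that identity."""
        if CREDENTIALS.get(user) != password:
            self.audit.append((user, "-", "auth-failed"))
            return None
        self._counter += 1
        token = f"sess-{self._counter}"
        self.sessions[token] = user
        return token

    def request(self, token, resource):
        """Q2-Q4: authorize by identity, watch the session's behaviour, log everything."""
        user = self.sessions.get(token)
        if user is None or token in self.blocked:
            self.audit.append((user or "?", resource, "rejected"))
            return "rejected"
        # Q2: the user may enter only if one of their groups is allowed on the resource.
        if GROUPS.get(user, set()) & POLICY.get(resource, set()):
            decision = "allow"
        else:
            decision = "deny"
            self.denied[token] += 1
            # Q3: repeated denials in one session are treated as misbehaviour.
            if self.denied[token] >= MAX_DENIED:
                self.blocked.add(token)
                self.alarms.append((user, f"{self.denied[token]} denied requests"))
                decision = "blocked"
        self.audit.append((user, resource, decision))   # Q4: per-user, per-resource record
        return decision

    def activity(self, user):
        """Q4: answer 'what did this user do?' from the audit trail."""
        return [(r, d) for u, r, d in self.audit if u == user]
```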